Commit Graph

44965 Commits

Author SHA1 Message Date
Alan Guo Xiang Tan
06a70d249b
SECURITY: Sanitize PendingPost titles before rendering to prevent XSS (#19727)
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2023-01-05 08:51:00 +08:00
Alan Guo Xiang Tan
7bd83ef6b5
SECURITY: BCC active user emails from group SMTP (#19724)
When sending emails out via group SMTP, if we
are sending them to non-staged users we want
to mask those emails with BCC, just so we don't
expose them to anyone we shouldn't. Staged users
are ones that have likely only interacted with
support via email, and will likely include other
people who were CC'd on the original email to the
group.

Co-authored-by: Martin Brennan <martin@discourse.org>
2023-01-05 08:50:54 +08:00
David Taylor
c77a9f18be
DEV: Use ruby-2.7 for stable branch CI (#19749) 2023-01-05 08:50:22 +08:00
Selase Krakani
fbd6c300d2
SECURITY: Restrict unlisted topic creation (#19258) 2022-12-02 15:55:17 +00:00
Selase Krakani
a65c3ba079
FIX: Fix failing spec caused by unpersisted user instance (#19288)
Active Record's `to_sql` method seems to return an empty string instead
of the expected SQL query when called on a query involving an
unpersisted model instance.

This replaces the admin `user` used in the specs with a persisted instance.
2022-12-02 03:28:05 +00:00
Daniel Waterworth
1fbcf57767
Version bump to v2.8.13 (#19244) 2022-11-29 11:12:55 -06:00
Daniel Waterworth
fdc4984ade SECURITY: Filter tags in user notifications for visibility 2022-11-29 10:36:02 -06:00
Daniel Waterworth
f0b9ce42d6 FIX: When filtering tags for visibility, respect tag group permissions (#19152) 2022-11-29 10:36:02 -06:00
Martin Brennan
27d93b4658
FIX: Backport invite fixes from main (#19218)
Backports the following:

* 40e8912395
* bbcb69461f

Which were showing an error when users were
trying to claim invites multiple times and
a subsequent follow-up fix.
2022-11-28 15:15:00 +10:00
Martin Brennan
15823d4a50
Version bump to v2.8.12 (#19214) 2022-11-28 11:14:35 +10:00
Martin Brennan
131c5cff25
SECURITY: Hide notifications for inaccessible topics (#19209)
Filter notifications the user cannot see anymore
via guardian.can_see_topic_ids
2022-11-28 10:42:05 +10:00
David Taylor
bf30689059 Disable ember-cli-based CI tests for stable branch
The upgrade of node in our discourse_test docker image has caused these to start failing. Ember-cli assets are default-disabled on the stable branch, so there is little need to run these tests.
2022-11-17 14:17:45 +00:00
David Taylor
b25f469018 PERF: Update s3:expire_missing_assets to delete in batches (#18908)
Some sites may have thousands of stale assets - deleting them one-by-one is very slow.

Followup to e8570b5cc9
2022-11-17 14:17:45 +00:00
David Taylor
006a857272 Fix and improve s3:expire_missing_assets task (#18863)
- Ensure it works with prefixed S3 buckets
- Perform a sanity check that all current assets are present on S3 before starting deletion
- Remove the lifecycle rule configuration and delete expired assets immediately. This task should be run post-deploy anyway, so adding a 10-day window is not required
2022-11-17 14:17:45 +00:00
David Taylor
1291fc1afe PERF: Correct should_skip? logic in s3:upload (#18862)
This task is supposed to skip uploading if the asset is already present in S3. However, when a bucket 'folder path' was configured, this logic was broken and so the assets would be re-uploaded every time.

This commit fixes that logic to include the bucket 'folder path' in the check
2022-11-17 14:17:45 +00:00
Daniel Waterworth
c0971b19cb
FIX: Update GitImporter to match main (#18974)
Fixes:

 * An issue where the git url gets updated when it shouldn't,
 * Fetching from gitlab,
2022-11-14 12:28:00 -06:00
Martin Brennan
e67d5f222c
Version bump to v2.8.11 (#19008) 2022-11-14 13:14:01 +10:00
Martin Brennan
aca0f239c8
SECURITY: Prevent email from being nil in InviteRedeemer (#19005)
This commit adds some protections in InviteRedeemer to ensure that email
can never be nil, which could cause issues with inviting the invited
person to private topics since there was an incorrect inner join.

If the email is nil and the invite is scoped to an email, we just use
that invite.email unconditionally.  If a redeeming_user (an existing
    user) is passed in when redeeming an email, we use their email to
override the passed in email.  Otherwise we just use the passed in
email.  We now raise an error after all this if the email is still nil.
This commit also adds some tests to catch the private topic fix, and
some general improvements and comments around the invite code.

This commit also includes a migration to delete TopicAllowedUser records
for users who were mistakenly added to topics as part of the invite
redemption process.
2022-11-14 12:02:09 +10:00
Bianca Nenciu
3a985c82c7
SECURITY: Correctly render link title in draft preview (#18958)
The additional unescaping could cause link titles to be rendered
incorrectly.
2022-11-09 15:54:47 +02:00
David Taylor
ce28fd2e1d
Version bump to v2.8.10 (#18824) 2022-11-01 17:12:07 +00:00
David Taylor
7e4e8c8ad2
SECURITY: Fix invite link validation (stable) (#18818)
See https://github.com/discourse/discourse/security/advisories/GHSA-x8w7-rwmr-w278

Co-authored-by: Martin Brennan <martin@discourse.org>
2022-11-01 16:50:14 +00:00
David Taylor
ec9734bc42
SECURITY: Expand and improve SSRF Protections (stable) (#18816)
See https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
2022-11-01 16:34:12 +00:00
Alan Guo Xiang Tan
65820e8ac1
SECURITY: Restrict display of topic titles associated with user badges (#18768) (#18770)
Before this commit, we did not have guardian checks in place to determine if a
topic's title associated with a user badge should be displayed or not.
This means that the topic title of topics with restricted access
could be leaked to anon and users without access if certain conditions
are met. While we will not specify the conditions required, we have internally
assessed that the odds of meeting such conditions are low.

With this commit, we will now apply a guardian check to ensure that the
current user is able to see a topic before the topic's title is included
in the serialized object of a `UserBadge`.
2022-10-27 11:48:00 +08:00
Alan Guo Xiang Tan
365eef3a64
DEV: Introduce TopicGuardian#can_see_topic_ids method (#18692) (#18765)
Before this commit, there was no way for us to efficiently check an
array of topics for which a user can see. Therefore, this commit
introduces the `TopicGuardian#can_see_topic_ids` method which accepts an
array of `Topic#id`s and filters out the ids which the user is not
allowed to see. The `TopicGuardian#can_see_topic_ids` method is meant to
maintain feature parity with `TopicGuardian#can_see_topic?` at all
times so a consistency check has been added in our tests to ensure that
`TopicGuardian#can_see_topic_ids` returns the same result as
`TopicGuardian#can_see_topic?`. In the near future, the plan is for us
to switch to `TopicGuardian#can_see_topic_ids` completely but I'm not
doing that in this commit as we have to be careful with the performance
impact of such a change.

This method is currently not being used in the current commit but will
be relied on in a subsequent commit.
2022-10-27 07:46:28 +08:00
Michael Fitz-Payne
29f0bc4ea2 DEV(cache_critical_dns): add caching for MessageBus Redis hostname
We are already caching any DB_HOST and REDIS_HOST (and their
accompanying replicas), we should also cache the resolved addresses for
the MessageBus specific Redis. This is a noop if no MB redis is defined
in config. A side effect is that the MB will also support SRV lookup and
priorities, following the same convention as the other cached services.

The port argument was added to redis_healthcheck so that the script
supports a setup where Redis is running on a non-default port.

Did some minor refactoring to improve readability when filtering out the
CRITICAL_HOST_ENV_VARS. The `select` block was a bit confusing, so the
sequence was made easier to follow.

We were coercing an environment variable to an int in a few places, so
the `env_as_int` method was introduced to do that coercion in one place and
for convenience purposes default to a value if provided.

See /t/68301/30.
2022-10-26 09:22:20 +10:00
Michael Fitz-Payne
bc8ad2a5d2 DEV(cache_critical_dns): add option to run once and exit
There are situations where a container running Discourse may want to
cache the critical DNS services without running the cache_critical_dns
service, for example running migrations prior to running a full bore
application container.

Add a `--once` argument for the cache_critical_dns script that will
only execute the main loop once, and return the status code for the
script to use when exiting. 0 indicates no errors occured during SRV
resolution, and 1 indicates a failure during the SRV lookup.

Nothing is reported to prometheus in run_once mode. Generally this
mode of operation would be a part of a unix pipeline, in which the exit
status is a more meaningful and immediate signal than a prometheus metric.

The reporting has been moved into it's own method that can be called
only when the script is running as a service.

See /t/69597.
2022-10-26 09:22:20 +10:00
Michael Fitz-Payne
7804eb44e6 DOC(cache_critical_dns): add program description
Describes the behaviour and configuration of the cache_critical_dns
script, mainly cribbed from commit messages. Tries to make this program
a bit less of an enigma.
2022-10-26 09:22:20 +10:00
Michael Fitz-Payne
cf86886448 DEV(cache_critical_dns): improve postgres_healthcheck
The `PG::Connection#ping` method is only reliable for checking if the
given host is accepting connections, and not if the authentication
details are valid.

This extends the healthcheck to confirm that the auth details are
able to both create a connection and execute queries against the
database.

We expect the empty query to return an empty result set, so we can
assert on that. If a failure occurs for any reason, the healthcheck will
return false.
2022-10-26 09:22:20 +10:00
Gabe Pacuilla
5340b09ad1 FIX(cache_critical_dns): use correct DISCOURSE_DB_USERNAME envvar (#16862) 2022-10-26 09:22:20 +10:00
Gabe Pacuilla
ab88591536 FIX(cache_critical_dns): use discourse database name and user by default (#16856) 2022-10-26 09:22:20 +10:00
Michael Fitz-Payne
924ef90eed DEV(cache_critical_dns): add SRV priority tunables
An SRV RR contains a priority value for each of the SRV targets that
are present, ranging from 0 - 65535. When caching SRV records we may want to
filter out any targets above or below a particular threshold.

This change adds support for specifying a lower and/or upper bound on
target priorities for any SRV RRs. Any targets returned when resolving
the SRV RR whose priority does not fall between the lower and upper
thresholds are ignored.

For example: Let's say we are running two Redis servers, a primary and
cold server as a backup (but not a replica). Both servers would pass health
checks, but clearly the primary should be preferred over the backup
server. In this case, we could configure our SRV RR with the primary
target as priority 1 and backup target as priority 10. The
`DISCOURSE_REDIS_HOST_SRV_LE` could then be set to 1 and the target with
priority 10 would be ignored.

See /t/66045.
2022-10-26 09:22:20 +10:00
Michael Fitz-Payne
cbf7d16d7c FIX: remove refresh seconds override on cache_critical_dns (#16572)
This removes the option to override the sleep time between caching of
DNS records. The override was invalid because `''.to_i` is 0 in Ruby,
causing a tight loop calling the `run` method.
2022-10-26 09:22:20 +10:00
Michael Fitz-Payne
8293f11f53 FIX: cache_critical_dns - add TLS support for Redis healthcheck
For Redis connections that operate over TLS, we need to ensure that we
are setting the correct arguments for the Redis client. We can utilise
the existing environment variable `DISCOURSE_REDIS_USE_SSL` to toggle
this behaviour.

No SSL verification is performed for two reasons:
- the Discourse application will perform a verification against any FQDN
  as specified for the Redis host
- the healthcheck is run against the _resolved_ IP address for the Redis
  hostname, and any SSL verification will always fail against a direct
  IP address

If no SSL arguments are provided, the IP address is never cached against
the hostname as no healthy address is ever found in the HealthyCache.
2022-10-26 09:22:20 +10:00
Michael Fitz-Payne
971409741f DEV: refactor cache_critical_dns for SRV RR awareness
Modify the cache_critical_dns script for SRV RR awareness. The new
behaviour is only enabled when one or more of the following environment
variables are present (and only for a host where the `DISCOURSE_*_HOST_SRV`
variable is present):
- `DISCOURSE_DB_HOST_SRV`
- `DISCOURSE_DB_REPLICA_HOST_SRV`
- `DISCOURSE_REDIS_HOST_SRV`
- `DISCOURSE_REDIS_REPLICA_HOST_SRV`

Some minor changes in refactor to original script behaviour:
- add Name and SRVName classes for storing resolved addresses for a hostname
- pass DNS client into main run loop instead of creating inside the loop
- ensure all times are UTC
- add environment override for system hosts file path and time between DNS
  checks mainly for testing purposes

The environment variable for `BUNDLE_GEMFILE` is set to enables Ruby to
load gems that are installed and vendored via the project's Gemfile.
This script is usually not run from the project directory as it is
configured as a system service (see
71ba9fb7b5/templates/cache-dns.template.yml (L19))
and therefore cannot load gems like `pg` or `redis` from the default
load paths. Setting this environment variable configures bundler to look
in the correct project directory during it's setup phase.

When a `DISCOURSE_*_HOST_SRV` environment variable is present, the
decision for which target to cache is as follows:
- resolve the SRV targets for the provided hostname
- lookup the addresses for all of the resolved SRV targets via the
  A and AAAA RRs for the target's hostname
- perform a protocol-aware healthcheck (PostgreSQL or Redis pings)
- pick the newest target that passes the healthcheck

From there, the resolved address for the SRV target is cached against
the hostname as specified by the original form of the environment
variable.

For example: The hostname specified by the `DISCOURSE_DB_HOST` record
is `database.example.com`, and the `DISCOURSE_DB_HOST_SRV` record is
`database._postgresql._tcp.sd.example.com`. An SRV RR lookup will return
zero or more targets. Each of the targets will be queried for A and AAAA
RRs. For each of the addresses returned, the newest address that passes
a protocol-aware healthcheck will be cached. This address is cached so
that if any newer address for the SRV target appears we can perform a
health check and prefer the newer address if the check passes.

All resolved SRV targets are cached for a minimum of 30 minutes in memory
so that we can prefer newer hosts over older hosts when more than one target
is returned. Any host in the cache that hasn't been seen for more than 30
minutes is purged.

See /t/61485.
2022-10-26 09:22:20 +10:00
David Taylor
9524c1320a DEV: Include DISCOURSE_REDIS_REPLICA_HOST in cache_critical_dns (#15877)
This is the replacement for DISCOURSE_REDIS_SLAVE_HOST
2022-10-26 09:22:20 +10:00
Alan Guo Xiang Tan
689ba22db0
DEV: Remove harded id when fabricating in tests (#18729) (#18730)
Hardcoding ids always lead to sadness for our test suite
2022-10-25 06:33:36 +08:00
Alan Guo Xiang Tan
6c97cc1834
DEV: Fabricate instead of just building topic, post and user in tests (#18698) (#18717)
Building does not persist the object in the database which is
unrealistic since we're mostly dealing with persisted objects in
production.

In theory, this will result our test suite taking longer to run since we
now have to write to the database. However, I don't expect the increase
to be significant and it is actually no different than us adding new
tests which fabricates more objects.
2022-10-24 07:28:02 +08:00
Jarek Radosz
1503ec07c5
Version bump to v2.8.9 (#18430) 2022-09-29 21:00:32 +02:00
Jarek Radosz
65017fe920
SECURITY: moderator shouldn't be able to import a theme via API (stable) (#18420)
* SECURITY: moderator shouldn't be able to import a theme via API.
* DEV: apply `AdminConstraint` for all the "themes" routes.

Co-authored-by: Vinoth Kannan <svkn.87@gmail.com>
2022-09-29 20:13:34 +02:00
Jarek Radosz
4302097b3b
SECURITY: Prevent arbitrary file write when decompressing files (stable) (#18423)
* SECURITY: Prevent arbitrary file write when decompressing files
* FIX: Allow decompressing files into symlinked directories

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Co-authored-by: Gerhard Schlager <gerhard.schlager@discourse.org>
2022-09-29 20:07:58 +02:00
Martin Brennan
a896a69c50
SECURITY: Limit user profile field length (#18304)
Adds limits to location and website fields at model and DB level to
match the bio_raw field limits. A limit cannot be added at the DB level
for bio_raw because it is a postgres text field.

The migration here uses version `6.1` instead of `7.0` since `stable`
is not on that version of rails yet, otherwise this is the same as `beta`
apart from also removing the new tests which caused too many conflicts.

Co-authored-by: Alan Guo Xiang Tan gxtan1990@gmail.com
2022-09-21 13:49:25 +10:00
Loïc Guitaut
13517cde7e Version bump to 2.8.8 2022-08-10 15:05:39 +02:00
Krzysztof Kotlarek
4fcffd3fae SECURITY: Limit email invitations to topic 2022-08-10 11:47:14 +02:00
Roman Rizzi
7b8f74439e
Version bump to v2.8.7 (#17700) 2022-07-27 17:28:39 -03:00
Roman Rizzi
af1cb735db
SECURITY: Prevent abuse of the update_activation_email route (stable) 2022-07-27 23:09:09 +03:00
Roman Rizzi
7af25544c3
SECURITY: Do not cache error responses for static assets (stable) 2022-07-27 22:58:38 +03:00
David Taylor
f0ef186a4e
FIX: Allow Symbol objects to be deserialized in PostRevision (stable) (#17512)
Followup to bb287c6c74
2022-07-15 13:16:20 +01:00
David Taylor
5d2ecce3f6
FIX: Allow Time objects to be deserialized in PostRevision (stable) (#17502)
Followup to bb287c6c74
2022-07-15 00:17:53 +01:00
David Taylor
c75ec7335d
Version bump to v2.8.6 (#17472) 2022-07-13 12:40:16 +01:00
David Taylor
bb287c6c74
SECURITY: Bump Rails to 6.1.6.1 (stable) (#17470)
https://discuss.rubyonrails.org/t/81017
2022-07-13 11:19:55 +01:00